Expand Kubernetes examples for multiple categories of CEL use

[liggitt]

Feature Description

The existing Kubernetes examples in the drop-down are really nice, but CEL is supported in multiple contexts in Kubernetes, which have their own distinct inputs, documentation, and expected return types:

1. CRD validation rules
   • self / oldSelf variables contain data
   • boolean return value is expected
2. Admission webhook matchConditions and ValidatingAdmissionPolicy expressions
   • object / oldObject variables contain data, request..., params, namespaceObject variables contain metadata, authorizer variable allows access to authorization functions
   • boolean return value is expected
3. OIDC claim mapping and user validation rules (new in 1.29, configured via file in kube-apiserver arg, design, in-progress docs)
   • claims variable contains claim data for validation (boolean return value) or extracting (string / string array return value, depending on the context)
   • user variable contains user info for validation
   • boolean return value is expected
4. Authorization matchConditions (new in 1.29, configured via file in kube-apiserver arg, design, in-progress docs)
   • request variable contains SubjectAccessReview data
   • boolean return value is expected

The existing examples could be even more useful with some additions:

1. examples per category
2. links to docs for that category
3. access to functions (like authorizer) with mocked return values available to that category
4. type checking of the expected return value(s) for that category

[knrc]

Thanks for these @liggitt, they are very useful. #33 makes a start on some of these items, however there's still more to go

[knrc]

We have a PR about to merge which will cover some of these use cases. The PR introduces support for ValidatingAdmissionPolicy (except parameters) and the Admission Webhooks.

[theobarberbany]

👋 Hey all

Is there any plan, or appetite for contributions from the project to support params in VAPs?

I'm currently trying to learn about & write some VAPs, I'd find this really useful!

[knrc]

Is there any plan, or appetite for contributions from the project to support params in VAPs?

I'm currently trying to learn about & write some VAPs, I'd find this really useful!

Yes, definitely. It's slightly more complex than what's currently there, as it can be an open-ended set of params.

Shameless plug for Anish's and my talk at KubeCon, give it a few seconds and you will see multiple params being used.